Certificate Management in SQL Server 2019

Introduction

Certificate management in SQL Server 2019 has been significantly enhanced compared with previous versions of SQL Server, and it is part of a large set of new features and enhancements in SQL Server 2019. The most significant enhancement is that it now allows you to import SSL/TLS certificates directly into SQL Server, which simplifies the entire process considerably.

Before going into detail on how to use the enhanced certificate management in SQL Server 2019, let's first talk a bit about SSL/TLS certificates, and discuss how SSL/TLS certificates were imported in previous versions of SQL Server in order to encrypt connections to SQL Server.

SQL Server can use SSL/TLS certificates to encrypt all communication between a SQL Server instance and its client connections by encrypting the communication channel. You can either “force encryption” for all connections, or leave it up to each client (i.e. application) to decide whether encryption should be used.

In the screenshot below, you can see the “Force Encryption” option:

[Screenshot: the “Force Encryption” option]

Personally, I would recommend that when you set up SSL/TLS encryption for your SQL Server instance, you set “Force Encryption” to “Yes” so that SQL Server does not accept unencrypted connections. This of course assumes that, prior to applying the certificate and setting this flag to “Yes”, you have extensively tested all applications/clients that connect to your SQL Server instance and verified that they can connect using the encrypted channel without any issues.
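A check that supports the testing step above, as an added example that is not part of the original article: this T-SQL query uses the sys.dm_exec_connections and sys.dm_exec_sessions dynamic management views to show which clients are currently connected with and without an encrypted channel. It assumes the login running it has the VIEW SERVER STATE permission.

```sql
-- Added example: inventory current client connections by encryption state.
-- Run it on the instance before setting "Force Encryption" to "Yes".
SELECT
    s.program_name,                       -- application name sent by the client
    s.host_name,                          -- client machine name
    s.login_name,
    c.net_transport,                      -- e.g. TCP, Named pipe, Shared memory
    c.encrypt_option,                     -- 'TRUE' when the channel is encrypted
    COUNT(*)            AS connection_count,
    MAX(c.connect_time) AS last_connect_time
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
    ON s.session_id = c.session_id
WHERE s.is_user_process = 1               -- skip system sessions
GROUP BY
    s.program_name,
    s.host_name,
    s.login_name,
    c.net_transport,
    c.encrypt_option
ORDER BY
    c.encrypt_option,                     -- unencrypted ('FALSE') rows first
    connection_count DESC;
```

The views only describe connections that are open at the moment the query runs, so repeat it over a representative period (for example, across batch and reporting windows) before concluding that every client already connects encrypted.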

Certificate Management up to SQL Server 2017

When deploying SQL Server, there are 3 deployment options. You can either:

  • Set up a standalone SQL Server machine
  • Set up a SQL Server Failover Cluster Instance (FCI)
  • Set up a SQL Server Always On Availability Groups deployment over at least two machines

Up to SQL Server 2017, in order for an SSL/TLS certificate to be “visible” to SQL Server, the general idea was to import it into the local computer's Windows certificate store (Console Root\Certificates (Local Computer)\Personal\Certificates) and then perform some additional steps.

Below, you can learn more about the procedure that was followed up to SQL Server 2017.

Certificate Management in a Standalone SQL Server 2017 Machine
